Overview
CVE-2025-10039 is a medium-severity security vulnerability affecting the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access (and higher roles) to read the contents of all support tickets within the system. This is achieved through an Insecure Direct Object Reference (IDOR) in the ‘eh_crm_ticket_single_view_client’ function, due to a lack of proper validation on a user-controlled key.
The vulnerability was published on 2025-11-21 and impacts versions up to and including 3.2.9 of the plugin.
Technical Details
The root cause of this vulnerability lies in the eh_crm_ticket_single_view_client function within the plugin’s codebase. Specifically, the code lacks proper validation to ensure that the user requesting access to a support ticket is authorized to view it. An attacker can manipulate the ticket ID parameter to access tickets that do not belong to them.
The vulnerability is located within the includes/class-crm-ajax-functions.php file. The vulnerable function retrieves ticket data based on the provided ID without verifying if the current user has the necessary permissions to view that particular ticket. This allows an attacker with even the lowest level of access (Subscriber) to potentially view sensitive customer data contained within support tickets.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-10039 is 4.3 (Medium).
- Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Explanation: This translates to Network attack vector, Low attack complexity, Low privileges required (Subscriber and above), No user interaction, No scope change, Low confidentiality impact, No integrity impact, and No availability impact. While the confidentiality impact is only rated as Low, the exposure of potentially all support tickets is a significant concern.
Possible Impact
The impact of this vulnerability is significant:
- Data Breach: Attackers can gain access to sensitive customer data contained within support tickets, including personal information, financial details, and private communications.
- Reputation Damage: A successful exploit can lead to a loss of trust and damage to the organization’s reputation.
- Compliance Issues: Depending on the data exposed, the breach may violate data privacy regulations such as GDPR or CCPA.
Mitigation and Patch Steps
The recommended mitigation is to update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version as soon as possible. The vulnerability has been patched in versions released after 3.2.9. You can update the plugin directly through the WordPress dashboard.
- Update the Plugin: Go to your WordPress dashboard, navigate to “Plugins,” and check for updates for the ELEX WordPress HelpDesk & Customer Ticketing System plugin. If an update is available, install it immediately.
- Verify the Update: After updating, verify that the plugin version is higher than 3.2.9.
- Monitor Activity: Keep a close eye on user activity logs for any suspicious behavior.
